BCLP – US Securities and Corporate Governance – Bryan Cave Leighton Paisner

Next Up for the SEC: DEPs, Rule 10b5-1 Plans and SPACs

Chairman Gensler Addresses Key Elements of his Agenda

Yesterday, SEC Chairman Gensler addressed key elements of his agenda in a speech before the SEC’s Investment Advisory Committee, which subsequently approved two non-binding recommendations.  Gensler focused on:

  • Digital engagement practices (DEPs) used by online trading platforms. The SEC recently announced requests for information and comment in light of potential conflicts of interest between the platform and investors when DEPs are designed to optimize platform revenues, data collection or investment behavior.  The SEC is also focusing on effects on investment advice and fairness of access and pricing, including for protected characteristics such as race and gender.
  • Rule 10b5-1 plans. As we’ve previously blogged, Gensler believes the Rule 10b5-1(c) affirmative trading defense has potential gaps and has asked the Staff to focus on (1) mandatory cooling off periods before the first trade; (2) prohibitions against having multiple plans at the same time; and (3) enhanced public disclosure of such plans. The committee’s recommendations address those topics, including:
    • Cooling off period of at least four months
    • Prohibition on overlapping plans
    • Require electronic submission of Form 144
    • Proxy statement disclosure of number of shares covered by NEO or issuer plans
    • Form 8-K disclosure of adoption, modification or cancellation of plans and the number of shares covered
    • Enhanced disclosure of 10b5-1 trades, including modifying Form 4 to indicate plan trades and the date of plan adoption or modification
    • Require all companies listed on U.S. exchanges (including foreign private issuers)

SEC Brings First Case Charging Shadow Insider Trading

September 1, 2021


The SEC’s filing of its first shadow trading case earlier this month signals the agency’s willingness to pursue actions based on expanded theories of insider trading liability.

In a federal court complaint, the SEC on August 17 brought insider trading charges against Matthew Panuwat, a former business development executive at Medivation, Inc., based on trades he made after learning that the company was going to be acquired by a major biotechnology firm. The case is striking because it alleges not that Panuwat traded in his employer’s stock, or in the stock of its anticipated acquirer, but rather that he purchased stock in a company “similarly situated” to Medivation.

The economic reasoning underlying the SEC’s action is that Panuwat figured the acquisition of Medivation would also enhance the market value of similar or “shadow” companies. The legal theory of the case is that Panuwat had a duty to Medivation not to use information acquired in his role as a Medivation executive to benefit himself by securities trading, and that he misappropriated that information by using it to trade.

This misappropriation theory is not new, but its application to a shadow trade has widely been described as a first by the SEC’s Enforcement Division.

The scope of insider trading liability beyond the classical paradigm of employees trading in their employer’s stock has long been a subject of litigation and debate. A crucial issue in this litigation was resolved in 1997, when the U.S. Supreme Court adopted the misappropriation theory in United States

NYSE Further Revises Definition of Related Party Transactions

Reverses Position on $120,000 Threshold

On August 19, 2021, the New York Stock Exchange further revised its definition of a “related party transaction” to include the $120,000 quantitative threshold under Item 404 of SEC Regulation S-K that had been expressly excluded from the definition approved four months earlier.

In April, the Securities and Exchange Commission approved revisions to Section 314.00 of the NYSE Listed Company Manual requiring the audit committee of NYSE listed companies to conduct a reasonable prior review and oversight of all related party transactions for potential conflicts of interest. See NYSE Revises Related Party Transaction Approval Rule. The NYSE rule approved in April defined related party transactions as “transactions required to be disclosed pursuant to Item 404 of Regulation S-K under the Securities Exchange Act (but without applying the transaction value threshold of that provision).” As a result of the exclusion of the $120,000 transaction value threshold from the rule approved in April, the universe of related party transactions requiring review and approval by the audit committee of NYSE listed companies could have been broader than related party transactions requiring proxy statement disclosure under Item 404.

Recognizing this, on August 19, 2021 the NYSE further revised Section 314.00 to delete the parenthetical underlined above, thereby providing that the $120,000 value threshold for disclosure purposes also applies to the prior review and approval requirement under the NYSE rules. The NYSE noted that:

In the period since the adoption of [the April] amendment, it has

Privacy, Vulnerabilities, and Breaches, Oh My

August 24, 2021


A recent SEC settlement shed light on data security and privacy concerns that public companies should keep in mind when drafting and filing periodic reports.  The SEC settlement concerned a 2018 data breach at Pearson Plc that resulted in theft of user data, including sensitive personal data.  The Pearson settlement resulted in entry of a Cease and Desist order prohibiting violations of the antifraud provisions of Securities Act Section 17(a), and Exchange Act Section 13(a)’s requirement that foreign issuers file accurate periodic reports and maintain controls to assure this.  Pearson will pay a $1 million penalty as part of the resolution.      

The charged conduct in Pearson’s case focused on language from its SEC filings concerning protection of users’ personal data, and the content of the company’s disclosures after learning in March 2019 that this data had both been publicly exposed and stolen by bad actors. Pearson’s failings represented the latest illustration of a favorite SEC principle underscored in countless enforcement actions, namely, that it is misleading to disclose a potential occurrence as a risk after it has already occurred. In the SEC’s telling, Pearson’s periodic filings continued to make the same standard disclosures of data privacy incident risks, including a statement that it was aware of no such events, even after Pearson learned that its user data had been exposed and stolen. 

Beyond Pearson’s failing to disclose the fact of the data theft, the SEC also charged it with making inaccurate media statements that minimized the nature of the incident. 

Gensler Sounds Warning for Cryptocurrency Markets

SEC Chair Gensler’s comments about cryptocurrency on August 3 were unsurprising in the context of his regulatory philosophy.  He said as much when he concluded with the line “If this [crypto] field is going to continue, or reach any of its potential to be a catalyst for change, we better bring it into public policy frameworks.”  Going back to Gensler’s overhaul of the swaps market during his CFTC tenure, it’s clear he sees the power of regulation to stabilize markets in beneficial ways.  So while crypto regulation wasn’t among the SEC regulatory priorities released in June, it’s clearly coming. The open question is the precise form it will take.  Will we see something closer to the safe harbor approach championed by Commissioner Peirce, or will it be something less industry-friendly? 

The August 3rd speech gave the impression that any forthcoming SEC cryptocurrency regulation may be formulated and dictated without involving representatives of the crypto industry (e.g., Gensler’s crypto comments included that he looks “forward to working with [his] colleagues on the President’s Working Group on Financial Matters” and “stand[s] ready to work closely with Congress, the Administration, our fellow regulators, and our partners around the world” to close regulatory gaps).  While Chair Gensler’s technical chops position him well as a cryptocurrency regulator, it seems that regulating these markets could only benefit from involving representatives from the industry.  The SEC could look to FinCEN’s example as a model; the financial crime regulator relied on numerous interactions with the

It’s Official: SEC Approves Nasdaq Board Diversity Proposal – Comply or Explain Why Not

The SEC today approved Nasdaq’s board diversity proposal, which will require each Nasdaq-listed company to publicly disclose information on the voluntary self-identified gender and racial characteristics and LGBTQ+ status of the company’s board of directors, subject to certain exceptions.

The information will be required to be presented in a Board Diversity Matrix, or a substantially similar format, on an aggregated basis by specified characteristics. Nasdaq has posted examples of acceptable and unacceptable matrices here. If the company elects to provide such disclosure on its website, then it must publish the disclosure concurrently with its proxy statement. It must also submit a URL link to the disclosure through the Nasdaq Listing Center within one business day after such posting.

In addition, each Nasdaq-listed company, subject to certain exceptions, must have at least two members of its board of directors who are “diverse” (as defined), including at least one director who self-identifies as female and at least one director who self-identifies as an underrepresented minority or LGBTQ+. If a company does not have such diverse directors, it must provide an explanation for not doing so, which could include a description of a different approach.  

Nasdaq-listed companies will have a transition period to meet the diversity objectives or explain their reasons for not doing so, and the timeframe is based on a company’s listing tier:

  • Nasdaq Global Select Market and Nasdaq Global Market companies will have, or explain why they do not have, one diverse director by the

Risk factor reminders for upcoming 10-Qs

As companies prepare upcoming periodic reports, they should focus on carefully reviewing and updating their risk factors. Some of the considerations may include:

  • COVID Risks. As a number of business sectors improve, it may be advisable to revise COVID-related risk factors to reflect the changing economic climate.  In some cases, the focus may need to shift to address challenges in increasing production, managing supply chains, hiring workers or otherwise responding to increasing customer demand.  In other cases, companies that benefited from dramatic changes in the economy during the pandemic peak may need to address potential risks associated with a return to normalcy.  For example, consider whether recent growth trends are viewed as sustainable in light of the MD&A requirement to discuss “known trends or uncertainties” that the company “reasonably expects will have a material favorable or unfavorable impact on net sales or revenues or income.”  At the same time, it may be appropriate to continue to caution investors as to uncertainties as to the future course of the pandemic – particularly as concern with the impact of variants evolves.
  • Labor Markets. Many sectors and regions are experiencing labor shortages. To the extent material, companies should consider disclosing in MD&A the effect of labor market conditions on their results of operations, and discussing possible future impacts in risk factors. 
  • Hypothetical Risks. Risk factors typically include a wide range of topics intended to warn investors of potential adverse events, most of which may never have materialized. These are included

Beware of Insider Trading Whistleblower Scams

What You Should Do First with Anonymous Reports

There has recently been a rash of similar anonymous whistleblower tips to public companies, each claiming that an unnamed company supervisor boasted about reaping profits from insider trading. The number of public companies receiving very similarly worded anonymous reports leads to the conclusion that they may be hoaxes. While the apparent scheme’s ultimate goals are unclear, companies should be very cautious about engaging with sources of such anonymous complaints, especially given the risk of ransomware and other forms of cyberattack. One theory is that these reports may be the first step in a sophisticated campaign to inject ransomware or facilitate other forms of cyberattack.

These complaints present a challenging development for ethics and compliance reporting systems, since they require companies to quickly assess whether a whistleblower report is bona fide and address issues at the intersection of ethics policies and cybersecurity controls.

Several things should be considered by a company that receives a confidential whistleblower report alleging insider trading that does not name the employee involved:

  • The most immediate concern is determining whether the report appears to be authentic and legitimate (regardless of merit), and not a hoax or some form of cyberattack. Anonymous submissions should be handled in accordance with the company’s data and cybersecurity policies and procedures, since files and links are potentially dangerous vectors for cyberattacks. A senior IT employee should review the submission (without seeking to identify the purported whistleblower) and be consulted in connection with any engagement

NYSE Revises Related Party Transaction Approval Rule

Companies listed on the New York Stock Exchange should review their policies on related party transactions and related processes to confirm they are consistent with recent revisions to the applicable NYSE rules.

Longstanding NYSE rules required that “an appropriate body” within listed companies review related party transactions, but did not expressly define what constituted a related party transaction. The conventional wisdom was that related party transactions referred to transactions required to be disclosed under Item 404 of Regulation S‑K, which generally requires disclosure of transactions in which (i) the amount involved exceeds $120,000 and (ii) a related party has a direct or indirect material interest.

In April, the Securities and Exchange Commission approved amendments to Section 314.00 of the NYSE Listed Company Manual. The revised NYSE rule expressly:

  • Defines a related party transaction as a transaction required to be disclosed under Item 404 of Regulation S-K without applying the $120,000 threshold thereunder;
  • Provides that the audit committee or comparable independent body of the board must conduct an independent prior review of all related party transactions; and
  • Requires that the audit committee (or comparable independent body) prohibit related party transactions it determines to be inconsistent with the interests of the company and its shareholders.

As a result of the NYSE’s exclusion of the $120,000 transaction value threshold, for some companies the scope of related party transactions requiring review and approval by the audit committee under the NYSE rule may be broader than the related

Disclosure Controls and Procedures – Not Just a Quarterly Certification

On June 15, 2021, the SEC announced that it had settled charges against First American Financial Corporation for failures in First American’s disclosure controls and procedures.  Rule 13a-15(a) under the Exchange Act requires issuers to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms. 

According to the SEC’s order, in May 2019, company management learned from a journalist that the company was experiencing a cybersecurity vulnerability that had resulted in the inadvertent public availability of customers’ personal data.  First American responded by issuing a statement to the press explaining that the company had learned of a design defect that had resulted in “possible unauthorized access to customer data” and had taken “immediate action to address the situation and shut down external access” to the data.  A few days later, First American issued a press release that was also furnished on Form 8-K.  In the release, the company reported that there was “[n]o preliminary indication of large-scale unauthorized access to customer information.”

Contrary to these disclosures, the SEC found that the vulnerability had exposed sensitive personal data, including social security numbers, in over 800 million images of customer documents for a period dating back to as early as 2003.  The SEC also found that the senior executives of the company who were
